OpenVPN 2.5.0 – What is Coming to OpenVPN in 2019

Posted on Jan 9, 2019 by Derek Zimmer

OpenVPN is the old guard of the VPN world. It is powerful, stable, and it has a large and enthusiastic dev community backed by multiple commercial interests. A new dot release is scheduled to be released this year, with many new features that aim to make OpenVPN easier to use and resist censorship.

Here is what the OpenVPN Community is working on:

Hallmark Feature: Plugin support for Pluggable Transports.

The OpenVPN team has been working with the Operator Foundation to build support for Pluggable Transports. Pluggable Transports are obfuscation layers that wrap a VPN connection so that a third party cannot easily detect, block, or manipulate it. Adding Pluggable Transports to OpenVPN makes it harder to block or throttle OpenVPN in censoring countries and in nations that do not enforce net neutrality.

Currently, it is hard to use pluggable transports as a non-developer, because you have to set up an OpenVPN connection, then set up a separate proxy connection for OpenVPN to tunnel through, and route everything properly without creating issues.

Being able to add Pluggable Transports as a plugin means that a user will be able to simply install the plugin for OpenVPN on both ends, and add a few matching commands on both ends to enable the same obfuscation. This is a tremendous leap forward in simplicity and will give everyone access to censorship resistance in a straightforward way.

What’s Next for Plugins?

Now that the foundation for Plugins is being implemented, the next step is for the community to develop the plugins to actually use. This will involve taking existing code from other projects and adapting it to the new Plugin API in OpenVPN. There are a lot of Pluggable Transports out there, thanks to censorship resistance efforts for Tor and VPNs over the last few years.

Likely candidates for plugins in the near future are Obfs4, ShadowSocks, Meek, TapDance and Encrypted SNI. Adding these transports to OpenVPN promises to help the world resist censorship for years to come.

New Feature: WHQL Certified TAPv6 Driver

Windows Server 2016 and later currently cannot run OpenVPN because the TAP driver is not certified by Microsoft Hardware Quality Labs, and server versions of Windows do not allow drivers that are not specifically approved by Microsoft. The TAPv6 driver has been extensively reworked to get approval; the process is ongoing, but this new TAP driver should make it into the 2.5.0 release.

New Feature: TLS-Crypt v2

TLS-Crypt is an OpenVPN native function that hardens OpenVPN networks against man-in-the-middle attacks and hardens connections against censorship. It works by sharing a static key that all clients use to pre-authenticate to a server before connecting. This serves two purposes. First, it allows servers to ignore all connection attempts that do not use the tls-crypt pre-shared key, which increases resistance to denial-of-service attacks that attempt to overwhelm servers with connection requests. Second, it prevents third parties that do not have access to the tls-crypt pre-shared key from manipulating an OpenVPN connection.

The problem with the first generation of this feature is that all clients and servers must share the same key for the feature to work. On a large VPN network every subscriber therefore holds the same tls-crypt key, which defeats the purpose of the denial-of-service resistance and lets an attacker attempt a MITM, since they gain ready access to the tls-crypt key just by creating an account with that VPN provider. (Do note that this is only a single layer of defense of many in OpenVPN. Gaining access to a tls-crypt key does not defeat the VPN's overall security; it only diminishes the effectiveness of this layer of defense.)

The new version of OpenVPN has second-generation tls-crypt support, where the server can store many tls-crypt keys and issue a different key to every user. This means that only the client and the server have access to a particular tls-crypt key, and none of that key material is shared with other clients.
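The difference between a shared key and a per-client key is easiest to see in a small model. The following Python is an added illustration, not OpenVPN's own code: it reduces tls-crypt to its pre-authentication gate (here an HMAC-SHA256 tag over a constructed control-channel packet) and leaves out the encryption of control-channel packets and OpenVPN's real key-wrapping format. The client names and packet bytes are constructed samples. With the first-generation shared key, any subscriber can produce tags the server accepts for anyone; with per-client keys, a subscriber's key is only good for their own identity, and unknown or tampered packets are dropped before any further work is done.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def make_key() -> bytes:
    """Constructed stand-in for a tls-crypt key: 32 random bytes."""
    return secrets.token_bytes(32)


def auth_tag(key: bytes, packet: bytes) -> bytes:
    """Authentication tag over a control-channel packet (toy stand-in for tls-crypt)."""
    return hmac.new(key, packet, hashlib.sha256).digest()


class SharedKeyServer:
    """First-generation model: one tls-crypt key shared by every client."""

    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key

    def accept(self, packet: bytes, tag: bytes) -> bool:
        # The gate: a packet whose tag does not verify is dropped before any TLS work.
        return hmac.compare_digest(auth_tag(self.shared_key, packet), tag)


class PerClientKeyServer:
    """Second-generation model: the server issues a distinct key to each client."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def issue(self, client_id: str) -> bytes:
        key = make_key()
        self._keys[client_id] = key
        return key

    def accept(self, client_id: str, packet: bytes, tag: bytes) -> bool:
        key = self._keys.get(client_id)
        if key is None:
            return False  # unknown client: dropped without further processing
        return hmac.compare_digest(auth_tag(key, packet), tag)


# Constructed sample packet; a real tls-crypt packet carries OpenVPN's own framing.
SAMPLE_PACKET = b"P_CONTROL_HARD_RESET_CLIENT_V2 sample"


def shared_key_forgery_succeeds() -> bool:
    """A rogue subscriber holds the shared key, so their tag verifies like anyone's."""
    shared = make_key()
    server = SharedKeyServer(shared)
    rogue_key = shared  # every account on the network receives this same key
    return server.accept(SAMPLE_PACKET, auth_tag(rogue_key, SAMPLE_PACKET))


def per_client_forgery_succeeds() -> bool:
    """A rogue subscriber holds only their own key; claiming to be alice fails."""
    server = PerClientKeyServer()
    server.issue("alice")
    rogue_key = server.issue("rogue")
    return server.accept("alice", SAMPLE_PACKET, auth_tag(rogue_key, SAMPLE_PACKET))


def per_client_own_key_accepted() -> bool:
    """The legitimate holder of a per-client key still gets through the gate."""
    server = PerClientKeyServer()
    alice_key = server.issue("alice")
    return server.accept("alice", SAMPLE_PACKET, auth_tag(alice_key, SAMPLE_PACKET))


def tampered_packet_rejected() -> bool:
    """A packet altered in transit no longer matches its tag."""
    server = PerClientKeyServer()
    alice_key = server.issue("alice")
    tag = auth_tag(alice_key, SAMPLE_PACKET)
    return server.accept("alice", SAMPLE_PACKET + b"x", tag)


def unknown_client_rejected() -> bool:
    """A connection attempt under an identity the server never issued is ignored."""
    server = PerClientKeyServer()
    return server.accept("nobody", SAMPLE_PACKET, auth_tag(make_key(), SAMPLE_PACKET))


if __name__ == "__main__":
    print("v1 shared key, rogue subscriber forges:", shared_key_forgery_succeeds())
    print("v2 per-client key, rogue forges as alice:", per_client_forgery_succeeds())
    print("v2 alice with her own key:", per_client_own_key_accepted())
    print("v2 tampered packet:", tampered_packet_rejected())
    print("v2 unknown client:", unknown_client_rejected())
```

Running the module prints True for the first-generation forgery and False for the per-client forgery, which is the whole point of the second-generation design: leaking one subscriber's key no longer hands every other subscriber's gate to the attacker. Note that the model only checks the pre-authentication gate; the TLS handshake and certificate checks that follow in a real OpenVPN connection are the layers the text refers to when it says a leaked tls-crypt key does not defeat the VPN outright.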

New Feature: Native IPv6 Blocking

OpenVPN can leak information through IPv6 if it is not properly configured and isolated by outside settings and firewalls. OpenVPN 2.5.0 introduces a configuration option to disable IPv6 natively, eliminating IPv6 leaks through a simple line in the OpenVPN config file. This greatly simplifies the process of protecting users from leaks and improves OpenVPN's built-in privacy.